SNMPv3 with AES256 not working in Cisco Routers

pgyogeshkumar
Level 1

We have configured SNMPv3 with AES256 encryption on the Cisco routers in our network.

However, we see that the devices cannot be managed from the NMS when configured with AES256, whereas with AES128 they are discovered properly.

We even tried snmpwalk with AES256 from the NMS, but with no success; with AES128, snmpwalk is successful.

We also tried other tools apart from the NMS for snmpwalk, but AES256 alone is still unsuccessful.

Please confirm whether Cisco routers support SNMPv3 with AES256. Is there any way to check and diagnose on the routers that AES256 is supported?

10 Replies

Marvin Rhoads
Hall of Fame

Most routers and switches with relatively recent code (say the last 4-5 years or newer) will support AES-256 for SNMPv3 privacy.

However, not all management systems will support it. For instance, Cisco Prime Infrastructure does not (as of the current latest release 3.1):

Reference: http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-1/administrator/guide/PIAdminBook/config_server_settings.html#22136

  • snmpv3_privacy_type:SNMP V3 privacy type. Can be None or DES or CFB-AES-128

What is your NMS product and version?

Hi

Is there any way to confirm that SNMPv3 with AES256 is working properly from the router end, by means of any show commands?

Please confirm whether there is any freeware that supports SNMPv3 with AES256, so that it can be checked from the device.

I read in some document that for AES256 it will use a separate usm-ext MIB; however, I don't understand that exactly. How do I check if I have this MIB in the router?

I am not sure any products or even freeware tools will allow you to query using AES256 (or 192). Neither has been adopted per se:

http://www.net-snmp.org/wiki/index.php/Strong_Authentication_or_Encryption

If you "show snmp user" you can see the configured privacy protocol. As shown here, you can add users with AES256 parameter - but it's mostly academic as no products that I know of support it.

CORE#show snmp user
User name: cprime
Engine ID: 800000090300A46C2A35E974
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: <redacted>

User name: testuser
Engine ID: 800000090300A46C2A35E974
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES256
Group-name: testgroup

Hi Marvin

Thanks for your help,

SNMPv3 with AES256 encryption is working now with our network devices.

Hello pgyogeshkumar, what are the steps you followed to get AES256 discovered?

Marvin --

I'm having trouble accessing my ASRs via SNMPv3, since it only allows me to enter credentials for CFB-AES-128 when I enter my parameters in Cisco Prime v3.1.

What can I do to overcome this issue and configure Prime to be able to use AES-256?

Thank you in advance,

As I mentioned earlier, Prime Infrastructure does not support AES-256 for SNMPv3 privacy. That remains the case with the current 3.1.5 update. 

Reference:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-1-5/administrator/guide/PIAdminBook/config_server_settings.html?bookSearch=true

Thanks Marvin. There is a forum where I found that Prime can be configured to support AES-256. I'm going to test it in my environment and will let you know how it goes.

Thanks again!

Robert Reese
Level 1

FYI - if you are having trouble getting a third party SNMP tool to work with Cisco AES192/256, then it is probably because Cisco implemented this in a different way from the draft standard.

The draft standard for AES192/256 is:
https://tools.ietf.org/html/draft-blumenthal-aes-usm-04

and specifies a private key localization method for generating the needed private 192/256 bit key from the secret.  

However, Cisco used the key localization method from the 3DES draft standard for their AES192/256 key:
https://tools.ietf.org/html/draft-reeder-snmpv3-usm-3desede-00

so this breaks some third-party SNMP tools (i.e., SnmpGet from SnmpSoft does not work, but the SolarWinds MIB browser does work). Extreme Networks has followed Cisco's lead on this, so it seems like Cisco has established a de facto standard for this.

nostajan1
Level 1

'AES-256' is supported from net-snmp 5.8 and later, and with Cisco devices you should use the 'AES-256-C' protocol instead of 'AES-256'.

http://www.net-snmp.org/wiki/index.php/Strong_Authentication_or_Encryption

Example (net-snmp v5.9.3):

snmpwalk -v3 -l authPriv -u user -a SHA -A "PASSPHRASE" -x AES-256-C -X "PASSPHRASE" 1.1.1.1 sysName
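The interoperability problem Robert Reese describes, and the reason net-snmp needs a separate 'AES-256-C' option, comes down to how a 16- or 20-byte RFC 3414 localized key is stretched to the 32 bytes AES-256 needs. The following is an added example written for this thread, not code from Cisco, net-snmp or any of the posters. The password-to-key and localization steps follow RFC 3414 (its Appendix A test vectors can be used to check them). The two key-extension rules are the Blumenthal draft method and the Reeder/3DES-draft method as they are implemented in open-source SNMP stacks (net-snmp's 'AES-256' versus 'AES-256-C', pysnmp's Blumenthal versus Reeder privacy classes); that mapping is the example's assumption. The passphrase is a constructed sample value; the engine ID is the one shown in Marvin's "show snmp user" output.

```python
"""AES-256 privacy-key derivation for SNMPv3 USM, computed two ways.

Added example for this thread; not Cisco's, net-snmp's or any poster's code.
Password-to-key and key localization follow RFC 3414. The two extension rules
(Blumenthal draft vs. Reeder/3DES draft) are modelled on how open-source
stacks implement "AES-256" vs. "AES-256-C" (assumption, see lead-in).
"""
import hashlib

_HASH = {"MD5": hashlib.md5, "SHA": hashlib.sha1}


def password_to_key(password: bytes, auth: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated cyclically to 1,048,576 bytes)."""
    reps, rem = divmod(1_048_576, len(password))
    return _HASH[auth](password * reps + password[:rem]).digest()


def localize(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), bound to one engine."""
    return _HASH[auth](ku + engine_id + ku).digest()


def priv_key_blumenthal(password: bytes, engine_id: bytes, auth: str,
                        key_len: int = 32) -> bytes:
    """draft-blumenthal-aes-usm: extend the localized key by hashing it."""
    kul = localize(password_to_key(password, auth), engine_id, auth)
    while len(kul) < key_len:
        kul += _HASH[auth](kul).digest()
    return kul[:key_len]


def priv_key_reeder(password: bytes, engine_id: bytes, auth: str,
                    key_len: int = 32) -> bytes:
    """draft-reeder-snmpv3-usm-3desede (used by Cisco for AES192/256): treat
    the localized key as a new passphrase (1 MB expansion) and localize it
    again, appending the result."""
    kul = localize(password_to_key(password, auth), engine_id, auth)
    while len(kul) < key_len:
        kul += localize(password_to_key(kul, auth), engine_id, auth)
    return kul[:key_len]


def compare(password: bytes, engine_id: bytes, auth: str) -> dict:
    """Both AES-256 keys plus the facts that explain the thread's symptom:
    AES-128 works with either tool because it only uses the RFC 3414 key;
    AES-256 fails when the two sides extend that key differently."""
    b = priv_key_blumenthal(password, engine_id, auth)
    r = priv_key_reeder(password, engine_id, auth)
    return {
        "blumenthal": b.hex(),
        "reeder": r.hex(),
        "aes128_same": b[:16] == r[:16],   # first 16 bytes: identical
        "aes256_same": b == r,             # extension bytes: different
        "shared_prefix": _HASH[auth]().digest_size,  # 16 (MD5) or 20 (SHA)
    }


if __name__ == "__main__":
    engine = bytes.fromhex("800000090300A46C2A35E974")  # engine ID from the thread
    for auth in ("MD5", "SHA"):
        # CONSTRUCTED sample passphrase, not a real credential
        print(auth, compare(b"CONSTRUCTED-passphrase", engine, auth))
```

Run it as a script and the two 64-hex-digit keys for each auth protocol share their first 32 (MD5) or 40 (SHA) hex digits and then diverge; `aes128_same` is True and `aes256_same` is False, which is exactly the "AES128 works, AES256 does not" pattern the original poster saw. A manager that derives the Blumenthal key will never decrypt a reply from an agent that derived the Reeder key, so the symptom looks like a discovery or timeout failure rather than a reported crypto error.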
